To exploit it, attackers need to trick users to click on specifically crafted links, but once they do that, they can leverage the flaw to steal authentication cookies. If the victim is a website's administrator, they could gain full control over that website.

The vulnerability can be mitigated by removing the example.html file that is part of the Genericons package or by upgrading to the newly released WordPress 4.2.2.

"All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file," the WordPress developers said in the release announcement.

Once installed, WordPress 4.2.2 scans the site's directory for the vulnerable HTML file and removes all instances of it.

In addition, the new version patches a second critical cross-site scripting flaw which, according to the WordPress developers, could let anonymous users compromise a site. It also hardens defenses for a potential XSS issue in the visual editor.